OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Memorandum Report

Survey Results on Information Used by Water Utilities to Conduct Vulnerability Assessments

Report No. 2004-M-0001

November 21, 2003

Abbreviations

AWWA          American Water Works Association
CDC           Centers for Disease Control and Prevention
DHS           Department of Homeland Security
DWG           Domestic Working Group
EPA           Environmental Protection Agency
FBI           Federal Bureau of Investigation
Water-ISAC    Water Information Sharing and Analysis Center
NRWA          National Rural Water Association
SCADA         Supervisory Control and Data Acquisition

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF INSPECTOR GENERAL

November 21, 2003

MEMORANDUM

SUBJECT:  Survey Results on Information Used by Water Utilities to Conduct Vulnerability Assessments

FROM:     Jeffrey K. Harris
          Director for Program Evaluation, Cross-Media Issues

TO:       Tracy Mehan
          Assistant Administrator for Office of Water

Recent terrorist activities and incidents such as the blackout in the midwest and northeast United States have demonstrated the crucial role of water sector infrastructures in the health and economic well-being of the Nation.
The Environmental Protection Agency (EPA) is the lead Federal agency for safe drinking water and for protecting the infrastructure that supplies the water. While EPA has made efforts to prepare water utilities for dealing with terrorist activities, the goal of a secure water supply needs the participation and coordination of water utilities with local, State, and Federal agencies.

Recognizing that Federal, State and local levels of government have a vested interest in water security, we suggested that the Domestic Working Group (DWG)[1], an informal group of local, State, and Federal auditors, develop a survey focusing on the security needs and tools of their local water systems. The objective of the survey was to gather feedback on the usefulness of water security information provided to utilities by EPA and other sources. Specifically, the survey helped determine the following:

•  Did EPA and other Federal, State, and local agencies provide useful threat and risk information to water utilities to conduct vulnerability assessments as required by the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (“Bioterrorism Act”)?

•  What are the needs of utilities with regard to financial assistance, training, and procedural changes to improve security?

•  What information can be collected and analyzed that would depict changes in security levels at water utilities?

[1] Individual DWG members volunteer to work on issues of common interest. Each organization conducts work individually that forms the foundation for specific organization audits that can be compiled to support a more generalized assessment or benchmark.

Although no response is required to this draft memorandum, if you would like to provide one, please do so within 15 days. Your comments should address the factual accuracy of the information in the memorandum and the related suggestions. If you are providing a response, please e-mail an electronic version of your response to harris.jeffrey@epa.gov. We will issue this memorandum without change in 15 days unless you provide comments. We plan to close the final memorandum upon issuance since it does not contain recommendations.

This is a draft memorandum prepared by EPA’s Office of Inspector General. This draft is subject to revision by the Office of Inspector General and, therefore, does not represent the final position of the Office of Inspector General on the subjects reported. It is provided to you solely for the purpose of obtaining your review and comments. You are not authorized to distribute or disclose this draft or its contents, except that you may distribute it to other persons in your organization to obtain their review and comments on the subjects reported.

If you or your staff have any questions, please call me at (202) 566-0831.

DRAFT - FOR REVIEW AND COMMENT PURPOSES ONLY

Table of Contents

Sections
   Introduction
   Usefulness of Information Provided by EPA and Others to Water Utilities
   Improvements Needed to Secure Water Systems
   Performance Indicators that EPA Could Use to Measure Improvements in Water Security Levels

Appendices
   A   Survey of Water Security

Figures
   1:  Number of Utilities Surveyed
   2:  Satisfaction with Threat Information
   3:  Satisfaction with Detection Information
   4:  Satisfaction with Delay Information
   5:  Satisfaction with Response and Consequence Information
   6:  Satisfaction with Remote Access Information
   7:  Number of Utilities That Would Like Additional Information
   8:  Amount of Money Water Utilities Expect to Spend in the Next 12 Months on Security Improvements
   9:  How Water Utilities Plan to Pay for Security Improvements

Introduction

Agencies overseeing efforts to enhance the security of the Nation’s drinking water infrastructure, such as EPA, may benefit from the observations of water utilities participating in the DWG survey regarding (1) the usefulness of water security information, (2) remaining security needs, and (3) potential measures of security, to identify areas needing improvement. For example, the survey shows that, while EPA and groups such as the American Water Works Association (AWWA) provided useful information, the survey respondents most frequently listed consultants hired by water utilities as providing useful information. This suggests a possible disadvantage to smaller utilities, which are required to complete vulnerability assessments by June 2004 but, unlike larger utilities, may not be able to afford a consultant. The combined results of the DWG survey cannot be interpreted as representing conditions within the water industry or the Nation because the results only represent the opinions of 16 water utilities that volunteered to respond to the survey and do not represent all water utilities.

In addition, all the utilities surveyed had concerns for water security including: additional information regarding vulnerabilities; financing security improvements; training assistance; research; and procedural changes. For example, the Water Information Sharing and Analysis Center (Water-ISAC)[2] could provide utilities useful threat information, but Water-ISAC is not available without a subscription fee. Survey respondents also stated that they needed financial assistance to make necessary security enhancements, training exercises to prepare for actual events, and research to detect contaminants in the distribution system.

The survey found that the following performance indicators could be used to measure changes in water security levels:

1.  Length of time a water utility could provide water during or after a security incident.
2.  Detection and response times.
3.  Ability to detect contaminants in the water system.
4.  Ability to detect attempted intrusions into the remote access system, commonly known as the Supervisory Control and Data Acquisition (SCADA) system.

[2] The Water-ISAC is an information service developed to provide the Nation’s drinking water systems with a secure Web-based environment for early warning of potential threats and a source of knowledge about water system security. Water-ISAC analysts produce and disseminate physical and cyber security information to the water sector relying on information gathered from Federal intelligence, law enforcement, public health and environment agencies and utility security incident reports. The Water-ISAC was developed with funding from EPA, and is available to water utilities on a subscription fee basis.

Background

The Nation’s water supply is one of our most vital natural resources. Potential threats to this resource include contamination with biological, chemical, or radiological agents, or damage and destruction of the water plant. Despite concerns from industry and Congress that the Federal government should not require specific approaches for water security, and that solutions should be developed by local water utilities themselves, EPA plays an important role in the security of the Nation’s water supply. Presidential Decision Directive 63, issued in May 1998, designated EPA as the lead agency for assuring the protection of the Nation’s water infrastructure.
The terrorist attacks on September 11, 2001 resulted in passage of the Bioterrorism Act and its requirement that water utilities conduct vulnerability assessments.[3]

Vulnerability assessments help water systems evaluate susceptibility to potential threats and design response plans and corrective actions to lessen the risk of serious consequences. Vulnerability assessments help determine how well water systems detect security problems and stop or delay undesired events, as well as measure response capabilities.

EPA developed a Strategic Plan for Homeland Security (“Plan”), dated September 2002, which states that EPA will work with the States, tribes, drinking water utilities, and other partners to enhance the security of water utilities. The Plan articulates tactics to execute the Plan which include the provision of tools, training, and technical assistance to help water utilities conduct vulnerability assessments, implement security improvements, and effectively respond to terrorist events.

Scope and Methodology

To learn about the usefulness of information water utilities received from EPA and other Federal, State, and local agencies, the DWG developed, pre-tested, and administered a Survey of Water Security (see Appendix A). We conducted our review in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Each DWG auditor administered the survey to their local water utility,[4] and the EPA Office of Inspector General compiled the individual surveys and summarized the results in this report. Due to concerns about releasing sensitive water utility information under a Freedom of Information Act request, the DWG participants made an overt choice not to inquire about specific sensitive vulnerability information.
Six of the 22 water utilities who volunteered decided not to participate in the survey due to concerns regarding the release of information to the public.

[3] The Bioterrorism Act required that water utilities serving a population greater than 3,300 persons conduct vulnerability assessments according to a utility’s size. Water utilities serving 100,000 or more users had to conduct their assessments by March 31, 2003; mid-sized utilities serving between 50,000 and 99,999 users must conduct their assessments by December 31, 2003; and small utilities serving between 3,300 and 49,999 users must conduct their assessments by June 30, 2004.

[4] Six separate auditors conducted surveys at six different water utilities; the seven New York surveys were conducted by one auditor; two of the California surveys were conducted by one auditor; and one water utility volunteered to provide survey information, for a total of 16 surveys.

Water utilities have a number of information sources available to assist them in conducting a vulnerability assessment. We asked utilities to provide an assessment of the usefulness of the information obtained from the following sources:

•  Environmental Protection Agency (EPA)
•  Federal Bureau of Investigation (FBI)
•  Department of Homeland Security (DHS)
•  Centers for Disease Control and Prevention (CDC)
•  Other Federal Agencies
•  State Agencies
•  Local Law Enforcement
•  Water Information Sharing and Analysis Center (Water-ISAC)
•  InfraGard[5]
•  National Rural Water Association (NRWA)
•  American Water Works Association (AWWA)
•  Water Consultant Hired by Utility
•  Water Security Expert

[5] InfraGard is an information sharing and analysis effort led by the FBI and an association of businesses, academic institutions, and State and local law enforcement agencies. InfraGard provides private sector infrastructure owners and operators information about cyber intrusions, exploited vulnerabilities, and infrastructure threats.

The survey requested information from water utilities in the following areas:

•  Usefulness of information obtained from EPA and other Federal, State and local agencies to conduct vulnerability assessments. Respondents were asked to rate their satisfaction on a scale of “1” (Not Very Useful) to “5” (Very Useful).

•  Resources and training needed by water utilities. Respondents were asked to provide needed information and resources to better improve the security of their water systems from terrorist attack.

•  Data and performance measures that could track changes in water security levels. Respondents were asked to provide suggestions for these measures.

Limitations of the Survey

It is important to note that the survey results represent only the opinions of 16 water utilities, including seven from the State of New York, that volunteered to respond to the survey and should not be generalized to represent all water utilities nationally. We analyzed the survey data and did not find that the seven utilities from New York State provided similar responses which would have disproportionately influenced the results. In addition, the performance indicators suggested may not be comprehensive since they are based on a sample of utilities that may not have experience with performance measurement and may have been influenced by the examples in the survey. While the survey results are limited to 16 utilities, we believe the information presented in this report could help EPA, other agencies, and water utilities focus their efforts on the security issues identified. Also, the survey responses are of particular interest to the local and State DWG auditors who administered the survey and may have oversight responsibilities for their local water utilities. It is not our intention to critique the judgments of individual water utilities or sources who provided the information.

Characteristics of the Survey Population

The 16 water utilities surveyed in six States identified in Figure 1 represent various geographical areas, size of populations served, and stages in the vulnerability and emergency response process.

The utilities surveyed ranged in the size of populations served. Four utilities surveyed serve small populations of 3,300 - 99,999 users while 12 utilities surveyed serve large populations of greater than 100,000 users.

Of the 16 utilities surveyed, 14 have completed the vulnerability assessment process, and 15 used consultants to assist in the preparation of vulnerability assessments. The remaining utility was the smallest survey respondent and the superintendent of its water plant conducted the vulnerability assessment. Six of the utilities have also completed their emergency response plans.
Only one of the utilities has completed implementing its security enhancements.

[Figure 1: Number of Utilities Surveyed. Map showing the number of utilities surveyed per State: 1, 1, 7, 3, 2, 2]

Usefulness of Information Provided by EPA and Others to Water Utilities

The survey shows that a variety of sources provided useful information to help water utilities prepare vulnerability assessments. Utilities cited consultants hired to assist in the preparation of vulnerability assessments most frequently as sources that provided useful information. Small utilities required to complete vulnerability assessments by June 30, 2004 may not be able to hire consultants and could be disadvantaged. Utilities also cited other sources such as EPA, AWWA, Water-ISAC, and local law enforcement as providing useful information. However, the survey results show that utilities did not always obtain information from all possible sources.

As we reported in EPA Needs to Assess the Quality of Vulnerability Assessments Related to the Security of the Nation’s Water Supply (Report No. 2003-M-00013), dated September 24, 2003, the vulnerability assessment is a threat-driven process. EPA is responsible for providing adequate threat information to water utilities in order to prepare vulnerability assessments. EPA did this through a variety of methods. First, EPA provided $53 million toward grants to the largest water utilities. Utilities primarily used the grants to hire water security consultants to assist in conducting vulnerability assessments.
EPA also provided $21 million in grants to provide drinking water security training to medium and small water utilities. Further, EPA utilized the Water-ISAC and the AWWA to provide threat information to water utilities. According to the Bioterrorism Act, however, the responsibility for determining which threats to protect against ultimately resides with each water utility.

We identified five key security activities or capabilities critiqued through the vulnerability assessment process.

•  Threat Identification
•  Detection
•  Delay
•  Response and Consequence
•  Remote Access

The first step in the vulnerability assessment process is threat identification. Threat information is necessary to identify potential scenarios against which utilities should prepare. For example, security preparations may differ for internal threats from disgruntled employees versus external threats from vandals or terrorists. The next step in the vulnerability assessment process determines how well a utility can detect a problem. This includes reviewing security and monitoring features; for example, how quickly a utility discovered a contaminant in the distribution system. The third step measures the delay system. This involves an examination of barriers such as gates, fences, locks, and walls. The next step measures response capabilities by reviewing the capacity of local, State, and Federal authorities to respond and neutralize the adversary. Another step for some utilities is to examine the remote access system, commonly known as the SCADA system.
This involves assessing the computer system to determine the ease with which someone could control the utility remotely.

The following sections provide detailed information from the survey results on the usefulness of the information provided to water utilities. Differences between the number of responses and total number of utilities indicate that some utilities did not receive information from that source. Two of the water utilities most frequently responded “not useful” or “not very useful” about the information they obtained from EPA and other sources.

Many Sources Provided Useful Threat Information

The survey shows that a variety of sources provided useful threat information to help water utilities prepare vulnerability assessments. The survey shows that respondents most frequently cited consultants hired by water utilities and EPA as providing useful threat information.
Of the\n16 water utilities surveyed, 13 responded favorably about information obtained from consultants\nthey hired, including five utilities that described the information they received as \xe2\x80\x9cvery useful.\xe2\x80\x9d\nIn addition, 12 of the 16 utilities responded that EPA provided useful threat information.\nAccording to respondents, other sources of useful threat information included the Water-ISAC,\nAWWA, water security experts, and local law enforcement agencies.\n\n                                                         Figure 2: Satisfaction with Threat Information\n\n\n\n\n                                           Not Very Useful               Not Useful       Neutral   Useful           Very Useful\n     Number of Utilities (16)\n\n\n\n\n                                16\n                                14\n                                12\n                                10\n                                 8\n                                 6\n                                 4\n                                 2\n                                 0\n                                                                                                        A\n\n\n                                                                                                                                   A\n                                                    S\n\n\n\n\n                                                                                            AC\n                                       A\n\n\n\n\n                                                                C\n                                              I\n\n\n\n\n                                                                                             cy\n\n\n\n\n                                                                                              d\n\n\n\n\n                                                                                                                          
               er\n                                                                                               t\n\n\n\n\n                                                                                                                                  nt\n\n\n                                                                                                                                  rt\n                                                                                              y\n                                            FB\n\n\n\n\n                                                                                            en\n\n\n\n\n                                                                                                     W\n                                                                                            ar\n\n\n\n\n                                                                                                                                W\n                                                    H\n                                     EP\n\n\n\n\n                                                               D\n\n\n\n\n                                                                                                                               pe\n                                                                                           nc\n\n\n\n\n                                                                                                                              lta\n\n\n\n\n                                                                                                                                       th\n                                                                                          en\n                                                   D\n\n\n\n\n                                                                                         -IS\n                                                           
C\n\n\n\n\n                                                                                        em\n\n\n\n\n                                                                                          G\n\n\n                                                                                                    R\n\n                                                                                                            AW\n\n\n\n\n                                                                                                                                       O\n                                                                                        ge\n\n\n\n\n                                                                                                                           Ex\n                                                                                                                           su\n                                                                                      Ag\n\n\n\n\n                                                                                                    N\n                                                                                      fra\n                                                                                      er\n                                                                                     rc\n                                                                    lA\n\n\n\n\n                                                                                                                       on\n\n\n                                                                                                                         y\n                                                                                   In\n                                                                                   at\n                                                                                    e\n\n\n        
                                                                          fo\n\n\n\n\n                                                                                                                      rit\n                                                                  ra\n\n\n\n\n                                                                                                                      C\n                                                                                 at\n\n\n\n\n                                                                               W\n                                                                              En\n\n\n\n\n                                                                                                                    cu\n                                                               de\n\n\n                                                                              St\n\n\n\n\n                                                                                                                  Se\n                                                                           aw\n                                                          Fe\n\n\n\n\n                                                                                                               er\n                                                                        lL\n                                                          er\n\n\n\n\n                                                                                                             at\n                                                                      ca\n                                                        th\n\n\n\n\n                                                                                                                 W\n                                                    O\n\n\n\n\n                                                                    Lo\n\n\n\n\n 
EPA - Environmental Protection Agency
FBI - Federal Bureau of Investigation
DHS - Department of Homeland Security
CDC - Centers for Disease Control and Prevention
NRWA - National Rural Water Association
AWWA - American Water Works Association

DRAFT - FOR REVIEW AND COMMENT PURPOSES ONLY

Consultants Provided Useful Detection Information

The survey responses show that, of the sources that provided detection information to water
utilities, respondents most frequently cited consultants hired by water utilities as providing useful
detection information. Of the 16 water utilities, 13 responded favorably about information
obtained from consultants they hired, including five utilities that described the information they
received as “very useful.” In addition to consultants, the AWWA, local law enforcement,
Water-ISAC, and EPA also provided useful detection information for five to seven of the utilities.

Figure 3: Satisfaction with Detection Information
[Chart. Y-axis: Number of Utilities (16). Legend: Not Very Useful, Not Useful, Neutral, Useful, Very Useful.]

Consultants and the AWWA Provided Useful Delay Information

The survey responses show that, of the sources that provided delay information, respondents
most frequently cited consultants hired by water utilities and the AWWA as providing useful
delay information.
Of the 16 surveys, 12 listed consultants hired by water utilities as having
useful information, including six utilities who ranked the information as “very useful.” In
addition to consultants, 10 utilities listed AWWA as having provided useful delay information.
Local law enforcement also provided useful delay information for six of the utilities.

Figure 4: Satisfaction with Delay Information
[Chart. Y-axis: Number of Utilities (16). Legend: Not Very Useful, Not Useful, Neutral, Useful, Very Useful.]

Consultants and the AWWA Provided Useful Response and Consequence Information

The survey responses show that, of the sources that provided response and consequence
mitigation information, respondents most frequently cited consultants hired by water utilities and
the AWWA as providing useful response and consequence information. Of the 16 surveys, 11
listed consultants hired by water utilities as having useful information, including five utilities
who ranked the information as “very useful.” In addition to consultants, nine utilities listed
AWWA as providing useful response and consequence information.
State agencies also provided useful response and consequence information for six of the utilities.

Figure 5: Satisfaction with Response and Consequence Information
[Chart. Y-axis: Number of Utilities (16). Legend: Not Very Useful, Not Useful, Neutral, Useful, Very Useful.]
Lo\n\n\n\n\n                                                DRAFT - FOR REVIEW AND COMMENT PURPOSES ONLY\n                                                                                           9\n\x0cConsultants Provided Useful Remote Access Information\n\nMany utilities use a remote access system, commonly known as SCADA, to control operations.\nThe survey responses show that, of the sources that provided SCADA information, respondents\nmost frequently cited consultants hired by water utilities as providing useful SCADA\ninformation. Of the 15 surveys,6 11 listed consultants hired by the water utilities as having useful\ninformation, including three utilities who ranked the information as \xe2\x80\x9cvery useful.\xe2\x80\x9d In addition to\nconsultants, six utilities listed AWWA and five utilities listed Water-ISAC as providing useful\nSCADA information.\n\n                                                     Figure 6: Satisfaction with Remote Access Information\n\n\n\n                                               Not Very Useful                 Not Useful            Neutral       Useful        Very Useful\n\n                               15\n    Number of Utilities (15)\n\n\n\n\n                               12\n\n                                   9\n\n                                   6\n\n                                   3\n\n                                   0\n                                          A\n\n\n\n\n                                                                                                                      A\n\n\n                                                                                                                             A\n                                                     HS\n\n\n\n\n                                                                                                     AC\n                                                I\n\n\n\n\n                                                              
C\n\n\n\n\n                                                                                                                                                        er\n                                                                                                               d\n                                                                                   y\n\n\n\n\n                                                                                                                                        nt\n                                                                                                      t\n\n\n\n\n                                                                                                                                                 rt\n                                              FB\n\n\n\n\n                                                                        y\n\n\n\n\n                                                                                             en\n\n\n\n\n                                                                                                                            W\n                                                                                                                     W\n                                                                                 nc\n\n\n\n\n                                                                                                             ar\n                                       EP\n\n\n\n\n                                                            CD\n\n\n\n\n                                                                                                                                                pe\n                                                                      nc\n\n\n\n\n                                                                                                                                     lta\n\n\n\n\n                         
                                                                                                                              th\n                                                    D\n\n\n\n\n                                                                                                 - IS\n\n\n                                                                                                            G\n\n                                                                                                                   NR\n\n\n                                                                                                                          AW\n                                                                                           m\n                                                                                  e\n\n\n\n\n                                                                                                                                                      O\n                                                                    ge\n\n\n\n\n                                                                                                                                              Ex\n                                                                                                                                  su\n                                                                               Ag\n\n\n\n\n                                                                                                          fra\n                                                                                         ce\n\n\n                                                                                               er\n                                                                   lA\n\n\n\n\n                                                                                                                                on\n\n\n                         
                                                                                                                ity\n                                                                                        or\n\n\n\n\n                                                                                                       In\n                                                                                                at\n                                                                          te\n                                                                 ra\n\n\n\n\n                                                                                                                               C\n                                                                                         f\n\n                                                                                               W\n\n\n\n\n                                                                                                                                          r\n                                                                           a\n\n                                                                                      En\n\n\n\n\n                                                                                                                                       cu\n                                                               e\n\n\n                                                                        St\n                                                            ed\n\n\n\n\n                                                                                                                                     Se\n                                                                                aw\n                                                             F\n\n\n\n\n                                                                                                                          
\n\nImprovements Needed to Secure Water Systems\n\nEPA\xe2\x80\x99s Strategic Plan focuses on preparedness and prevention, assisting those responsible for\ncritical infrastructures in assessing and reducing vulnerabilities and maximizing their response\ncapabilities. EPA also intends to develop technologies to improve the Nation\xe2\x80\x99s critical\ninfrastructure and key responders\xe2\x80\x99 abilities to detect and monitor environmental threats. The\nsurvey asked questions to help determine utilities\xe2\x80\x99 technological needs. All the utilities surveyed\nhad concerns about water security, which are described in more detail below. 
The concerns include:\n\n\xe2\x80\xa2      additional information regarding vulnerabilities;\n\xe2\x80\xa2      financing security improvements;\n\xe2\x80\xa2      training assistance;\n\xe2\x80\xa2      research; and\n\xe2\x80\xa2      procedural changes.\n\n      6\n       One utility did not have a SCADA system.\n\nAdditional Information Needed by Utilities\n\nThe survey results show that water utilities still have a need for more information regarding\nthreats, detection assistance, delay, response and consequence mitigation, and SCADA (see\nFigure 7).\n\nFigure 7: Number of Utilities That Would Like Additional Information\n[Bar chart. Vertical axis: Number of Utilities (Total 16), 0 to 16. Horizontal axis: Threat Information, Detection Assistance, Delay, Response, SCADA. Series: Some, A Lot.]\n\nEPA funded the Water-ISAC to promote information sharing on water security. 
The Water-ISAC\nclaims to provide information to water utilities that serve 80 percent of all drinking water\ncustomers. Five of the utilities in our survey, however, responded that they want better access to\nthreat information, including access to the Water-ISAC database, which is available only on a\nsubscription fee basis. In addition, four utilities (including two medium-sized utilities) did not\nobtain threat information from the Water-ISAC. We do not know why the utilities did not obtain\nthreat information from the Water-ISAC.\n\nFinancial Assistance Needed by Utilities\n\nUtilities stated that they need financial assistance to make necessary security improvements.\nEleven of the 16 water utilities estimated that they would spend more than $100,000 during the next 12\nmonths on water security improvements, including four utilities that are planning to spend more\nthan $1 million (see Figure 8).\n\nFigure 8: Amount of Money Water Utilities Expect to Spend in the Next 12 Months on Security Improvements\n[Bar chart. Vertical axis: Number of Utilities, 0 to 7. Horizontal axis: Dollars in Thousands, in ranges <10, 10-49, 50-99, 100-499, 500-999, >1,000.]\n\nOf the 16 utilities, 11 stated that they may limit security improvements to those that they can\nafford and/or budget as capital improvement projects. Several utilities stated that they would\nissue bonds or raise water rates to cover the costs of security improvements (see Figure 9).\n\nFigure 9: How Water Utilities Plan to Pay for Security Improvements (see footnote 7)\n[Bar chart. Vertical axis: Number of Responses (16 Total), 0 to 16. Horizontal axis: Financial Assistance from EPA, EPA Drinking Water State Revolving Fund, State Financial Assistance, Increase Water Rates, Issue Water Utility Bonds, Limit Improvements, Future Capital Improvements, Other.]\n\nSeven of the 16 utilities responded that they needed financial assistance. EPA\xe2\x80\x99s financial\nassistance, however, has been limited to ensuring that drinking water utilities receive technical\nassistance and training on vulnerability assessments and emergency response plans, but not\nfunding for the improvements themselves. Three utilities indicated that they plan to use EPA\xe2\x80\x99s\nDrinking Water State Revolving Fund to help pay for security improvements. 
It is unknown\nwhether the 13 utilities that are not planning to use the Drinking Water State Revolving Fund\nrealize that they can use the fund to provide assistance for implementing infrastructure-related\nsecurity measures.\n\n      7\n       The survey allowed respondents to check more than one answer.\n\nTraining Needs\n\nOf the 16 utilities, 14 described additional training that their employees needed to improve\nsecurity. The training needs ranged from general seminars on security awareness to specific\ntraining such as crime scene preservation. Of the 16 utilities, 14 stated that they needed\nadditional training in emergency response, including identifying and detecting threats. Four of\nthe utilities stated that they wanted to conduct training exercises or drills to help them prepare for\nactual security events.\n\nResearch Needs\n\nTwelve utilities stated that they would like EPA to fund research on monitoring and detecting\ncontaminants. The utilities stated that they would like to have real-time monitoring of water\nsystems to detect chemical and biological agents, particularly in the distribution system, which\nmany experts view as the most susceptible to terrorist attack.\n\nProcedural Changes Needed\n\nEight survey respondents stated that they would like to see specific procedural changes made to\nimprove security, while six stated that they did not want any changes. 
Since there was no\nconsensus about changes needed, the following list reflects the respondents\xe2\x80\x99 suggestions,\nincluding those that would likely be addressed by State or local authorities:\n\n\xe2\x80\xa2      Include security practices as part of water operations certification training.\n\xe2\x80\xa2      Provide a time frame for renewing vulnerability assessments.\n\xe2\x80\xa2      Change the rules governing the awarding and uses of Drinking Water State Revolving\n       Fund loans and grants.\n\xe2\x80\xa2      Establish security standards for water utilities.\n\xe2\x80\xa2      Modify the Freedom of Information Act to protect sensitive information about water\n       facilities.\n\xe2\x80\xa2      Improve the ability to conduct background checks on employees.\n\xe2\x80\xa2      Provide additional State police to respond to malevolent acts.\n\nPerformance Indicators that EPA Could Use to Measure\nImprovements in Water Security Levels\n\nIn our report EPA Needs a Better Strategy to Measure Changes in the Security of the Nation\xe2\x80\x99s\nWater Infrastructure (Report No. 2003-M-00016), dated September 11, 2003, we suggested that\nEPA develop performance indicators to measure changes in water security. EPA stated that it\nwould welcome recommendations and assistance in this area. In our survey, we asked water\nutilities to respond to questions about performance indicators that could be used to measure\nchanges in water security. We used the input from the survey to develop the following\nperformance indicators, which could be used to measure changes in water security levels.\n\n         Length of time a water utility could provide water during or after a security incident\n\n         Eleven of the utilities mentioned this type of performance indicator. 
This\n         indicator would incorporate improvements made by water utilities such as\n         adding storage facilities, interconnections, and emergency backup power\n         sources.\n\n         Detection and response times\n\n         Twelve utilities mentioned this performance indicator. Exercises could be\n         performed at water utilities with a variety of threat scenarios to determine the\n         length of time to detect and respond to threats. The drills could also be used\n         to determine whether utility employees utilized appropriate response\n         procedures.\n\n         Ability to detect contaminants in water system\n\n         Ten utilities mentioned this performance indicator. Detection is critical for a\n         water utility to adequately respond to threats. Utilities also suggested\n         measuring the number of contaminants or the timeliness of detecting\n         particular contaminants in the water system. Tests could also monitor the\n         timeliness of the laboratory used by the utility to identify contaminants.\n\n         Ability to detect attempted intrusions into the SCADA system\n\n         Seven utilities mentioned this performance indicator. 
Water utilities could\n         document the number of attempted intrusions into their SCADA systems to\n         track the level of interest in the water system.\n\nSuggestions\n\nBased on the survey results and our observations, we offer the following suggestions:\n\n       (1)     Ensure that small utilities have access to security information that large utilities\n               received from consultants funded by EPA, possibly by fully funding the Water-ISAC,\n               and provide lists of other agencies from which utilities could obtain\n               information.\n\n       (2)     Ensure that water utilities have access to information on funding security\n               enhancements, including use of the Drinking Water State Revolving Fund.\n\n       (3)     Consider using the performance indicators discussed above to set a baseline for\n               water security and measure improvements over time, particularly through the use\n               of exercises and drills to test the security of water utilities.\n\nAppendix A\n\nSurvey of Water Security\n\nThe following series of questions deals with information or guidance the drinking water utility\nreceived, and its usefulness in preparing for a vulnerability assessment.\n\n1. Threats \xe2\x80\x93 In order to conduct a vulnerability assessment, a utility needs to determine or\n   evaluate potential threats, often referred to as a design basis threat. The design basis threat is\n   based on understanding the motives, intentions, and capabilities of the utility\xe2\x80\x99s adversaries.\n\n   Below is a list of sources from which your drinking water utility may have received\n   information or guidance on THREATS. 
Please rate the usefulness of the information you\n   received on a scale from one to five, where one is not at all useful and five is very useful. If\n   you did not receive information from a listed source, please check that box.\n\n Sources of Threat Information (check all that apply)     Not useful 1*   2   3   4   5* Very useful     Did not receive information\n\n Environmental Protection Agency (EPA)\n Federal Bureau of Investigation (FBI)\n Department of Homeland Security\n Centers for Disease Control (CDC)\n Other Federal agency \xe2\x80\x93 Please specify\n State agency \xe2\x80\x93 Please specify\n Local law enforcement (Police, Sheriff)\n Water Information Sharing and Analysis Center (Water-ISAC)\n InfraGard\n National Rural Water Association (NRWA)\n American Water Works Association (AWWA)\n Consultant hired to prepare vulnerability assessment\n Water security expert\n Other \xe2\x80\x93 Please specify\n* Provide explanation for answers with either 1 (not at all useful) or 5 (very useful)\n\n2. Detection \xe2\x80\x93 Detection (1) senses an act of aggression, (2) assesses the validity of the\n   detection, and (3) communicates the appropriate information to a response force. A detection\n   system must provide all three of these capabilities to be effective. 
A detection system may\n   consist of closed-circuit television, cameras, motion sensors, alarms, door or window sensors,\n   and chemical and biological monitoring and detection technologies.\n\n   Below is a list of sources from which your drinking water utility may have received\n   information or guidance on DETECTION. Please rate the usefulness of the information you\n   received on a scale from one to five, where one is not at all useful and five is very useful. If\n   you did not receive information from a listed source, please check that box.\n\n Sources of Detection Information (check all that apply)     Not useful 1*   2   3   4   5* Very useful     Did not receive information\n\n Environmental Protection Agency (EPA)\n Federal Bureau of Investigation (FBI)\n Department of Homeland Security\n Centers for Disease Control (CDC)\n Other Federal agency \xe2\x80\x93 Please specify\n State agency \xe2\x80\x93 Please specify\n Local law enforcement (Police, Sheriff)\n Water Information Sharing and Analysis Center (Water-ISAC)\n InfraGard\n National Rural Water Association (NRWA)\n American Water Works Association (AWWA)\n Consultant hired to prepare vulnerability assessment\n Water security expert\n Other \xe2\x80\x93 Please specify\n* Provide explanation for answers with either 1 (not at all useful) or 5 (very useful)\n\n3. Delay \xe2\x80\x93 Delay is any mechanism in place to delay the intruder, after detection, from\n   damaging the utility or contaminating the water. 
Defensive measures protect an asset by\n   delaying an adversary\xe2\x80\x99s movement toward the asset or by shielding the water from\n   contamination. Delay measures include such things as fencing, locks, and grates or bars on\n   windows.\n\n   Below is a list of sources from which your drinking water utility may have received\n   information or guidance on DELAY. Please rate the usefulness of the information you\n   received on a scale from one to five, where one is not at all useful and five is very useful. If\n   you did not receive information from a listed source, please check that box.\n\n Sources of Delay Information (check all that apply)     Not useful 1*   2   3   4   5* Very useful     Did not receive information\n\n Environmental Protection Agency (EPA)\n Federal Bureau of Investigation (FBI)\n Department of Homeland Security\n Centers for Disease Control (CDC)\n Other Federal agency \xe2\x80\x93 Please specify\n State agency \xe2\x80\x93 Please specify\n Local law enforcement (Police, Sheriff)\n Water Information Sharing and Analysis Center (Water-ISAC)\n InfraGard\n National Rural Water Association (NRWA)\n American Water Works Association (AWWA)\n Consultant hired to prepare vulnerability assessment\n Water security expert\n Other \xe2\x80\x93 Please specify\n* Provide explanation for answers with either 1 (not at all useful) or 5 (very useful)\n\n4. Response/Consequence Mitigation \xe2\x80\x93 Consequences are outcomes that can happen if an\n   adversary successfully carries out a threat. 
Consequences of a threat carried out on a water\n   supply can affect the quantity and/or quality of water supplied, as well as general sanitation\n   and safety issues in a community.\n\n   Below is a list of sources from which your drinking water utility may have received\n   information or guidance on RESPONSE/CONSEQUENCE MITIGATION. Please rate\n   the usefulness of the information you received on a scale from one to five, where one is not at\n   all useful and five is very useful. If you did not receive information from a listed source,\n   please check that box.\n\n Sources of Response/Consequence Mitigation Information (check all that apply)     Not useful 1*   2   3   4   5* Very useful     Did not receive information\n\n Environmental Protection Agency (EPA)\n Federal Bureau of Investigation (FBI)\n Department of Homeland Security\n Centers for Disease Control (CDC)\n Other Federal agency \xe2\x80\x93 Please specify\n State agency \xe2\x80\x93 Please specify\n Local law enforcement (Police, Sheriff)\n Water Information Sharing and Analysis Center (Water-ISAC)\n InfraGard\n National Rural Water Association (NRWA)\n American Water Works Association (AWWA)\n Consultant hired to prepare vulnerability assessment\n Water security expert\n Other \xe2\x80\x93 Please specify\n* Provide explanation for answers with either 1 (not at all useful) or 5 (very useful)\n\n5. Cyber \xe2\x80\x93 Water utility components are often controlled remotely by computer systems called\n   Supervisory Control and Data Acquisition (SCADA). 
These SCADA systems are susceptible\n   to attack by computer hackers who could shut down critical assets within the water utility.\n\n   Below is a list of sources from which your drinking water utility may have received\n   information or guidance on SCADA SECURITY. Please rate the usefulness of the\n   information you received on a scale from one to five, where one is not at all useful and five is\n   very useful. If you did not receive information from a listed source, please check that box.\n\n Sources of SCADA Security Information (check all that apply)     Not useful 1*   2   3   4   5* Very useful     Did not receive information\n\n Environmental Protection Agency (EPA)\n Federal Bureau of Investigation (FBI)\n Department of Homeland Security\n Centers for Disease Control (CDC)\n Other Federal agency \xe2\x80\x93 Please specify\n State agency \xe2\x80\x93 Please specify\n Local law enforcement (Police, Sheriff)\n Water Information Sharing and Analysis Center (Water-ISAC)\n InfraGard\n National Rural Water Association (NRWA)\n American Water Works Association (AWWA)\n Consultant hired to prepare vulnerability assessment\n Water security expert\n Other \xe2\x80\x93 Please specify\n* Provide explanation for answers with either 1 (not at all useful) or 5 (very useful)\n\nPerformance Measurement Information\n\n6.   What performance indicators would best measure changes in the overall level of water\n     security? 
(Some examples may include: length of time your water utility could supply\n     water in the event of a disaster, length of time your water utility could operate on\n     emergency backup power sources, amount of water storage your utility has).\n\n      ___________________________________________________________________\n\n      ___________________________________________________________________\n\n      ___________________________________________________________________\n\n\n7.   Should there be separate performance indicators that would measure changes for each\n     component of the water utility (source water, treatment, storage, distribution)? What\n     performance indicators would best measure these changes?\n\n      ___________________________________________________________________\n\n      ___________________________________________________________________\n\n      ___________________________________________________________________\n\n\n8.   What performance indicators would best measure changes in threat detection? (Some\n     examples may include: number of contaminants your water utility can detect in the\n     distribution system, amount of time it takes to determine whether a detection event is a real\n     threat or false alarm).\n\n      ___________________________________________________________________\n\n      ___________________________________________________________________\n\n      ___________________________________________________________________\n\n9.   What performance indicators would best measure changes in adversary delay? 
(An\n     example may include: amount of time the utility can delay threats compared to response\n     time).\n\n      ___________________________________________________________________\n\n      ___________________________________________________________________\n\n      ___________________________________________________________________\n\n10.   What performance indicators would best measure changes in response/consequence\n      mitigation? (An example may include: number of employees that follow the proper\n      response to specific threat scenarios in practice exercises).\n\n       ___________________________________________________________________\n\n       ___________________________________________________________________\n\n       ___________________________________________________________________\n\n\n11.   What performance indicators would best measure changes in SCADA security systems?\n      (An example may include: the number of attempts to hack into the system).\n\n       ___________________________________________________________________\n\n       ___________________________________________________________________\n\n       ___________________________________________________________________\n\nResource/Training Needs\n\n12.   How much money does your utility expect to spend on security enhancements over the next\n      12 months?\n      ____ < $10,000\n      ____ $10,000 - $50,000\n      ____ $50,000 - $100,000\n      ____ $100,000 - $500,000\n      ____ $500,000 - $1,000,000\n      ____ $1,000,000+\n      ____ Don\xe2\x80\x99t know\n\n13.   
By what means is your utility planning to pay for needed security enhancements?\n\n                                                              Yes    No     Don\xe2\x80\x99t Know\n      a.    Financial assistance from EPA                     1      2      3\n      b.    EPA State Revolving Fund                          1      2      3\n      c.    Financial assistance from the State               1      2      3\n      d.    Increase water rates                              1      2      3\n      e.    Issue water utility bonds                         1      2      3\n      f.    Limit improvements to those which\n            the utility can afford                            1      2      3\n      g.    Budget for future Capital Improvement projects    1      2      3\n      h.    Other                                             1      2      3\n            (Please specify _______________________)\n\n14.   In which of the following areas do you need more assistance (check all that apply)?\n\n                                                            Little  Some  A Lot\n      a.    Threat information                                1      2      3\n      b.    Detection assistance                              1      2      3\n      c.    Delay                                             1      2      3\n      d.    Response                                          1      2      3\n      e.    SCADA                                             1      2      3\n\n15.   What specific assistance do you need (if any)?\n\n      ________________________________________________________________\n\n      ________________________________________________________________\n\n16.   Please describe the kinds of training employees at your facility need to improve security or\n      response.\n\n      ________________________________________________________________\n\n      ________________________________________________________________\n\n      ________________________________________________________________\n\n\n17.   What kinds of regulatory changes (if any) does your utility need to help improve security?\n\n      ________________________________________________________________\n\n      ________________________________________________________________\n\n      ________________________________________________________________\n\n\n18.   What types of research (if any) would be most beneficial to improve security?\n\n      ________________________________________________________________\n\n      ________________________________________________________________\n\n      ________________________________________________________________\n\n\n19.   Do you have any additional comments or concerns regarding water security?\n\n      ________________________________________________________________\n\n      ________________________________________________________________\n\nBackground Information\n\nUtility Name:                     ____________________________________________________\n\n20.   
What is the population served by your utility?\n\n      ____ Less than 3,300\n      ____ 3,300 - 50,000\n      ____ 50,000 - 100,000\n      ____ 100,000 - 1,000,000\n      ____ 1,000,000 - 3,000,000\n      ____ 3,000,000+\n\n21.   Who performed the vulnerability assessment at your utility (check all that apply)?\n\n      _____ A consultant with expertise preparing a vulnerability assessment\n      _____ A security expert employed by the utility\n      _____ Other utility employee - please specify employee\xe2\x80\x99s title _________________\n      _____ Someone else - please specify _____________________________________\n      _____ Don\xe2\x80\x99t know\n\n\n22.   Please indicate your utility\xe2\x80\x99s current status in:\n\n                                                          Planning   Conducting   Completed\n      a.    Vulnerability assessment                          1           2           3\n      b.    Emergency response plan                           1           2           3\n      c.    Implementing security improvements                1           2           3\n\n\n23.   What tools and methods were used to conduct your drinking water utility\xe2\x80\x99s vulnerability\n      assessment (check all that apply)?\n\n      _____ Risk Assessment Methodology-Water (RAM-W)\n      _____ Vulnerability Self Assessment Tool (VSAT) software\n      _____ National Rural Water Association (NRWA) checklist\n      _____ Other - please specify _____________________________________________\n      _____ Don\xe2\x80\x99t know\n\n      THANK YOU FOR YOUR ASSISTANCE IN COMPLETING THIS SURVEY.\n'